Merge #3191

3191: Ensure we also pin ISRG X2 in TLSA r=mergify[bot] a=nextgens ## What type of PR? enhancement ## What does this PR do? Ensure we also pin ISRG X2 in TLSA; some users may have opted-in, the CA may change where they issue from, ... this is future-proofing. ### Related issue(s) - #3187 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2025-05-31 23:10:01 +02:00 · 2024-03-11 15:41:12 +00:00 · 2024-03-11 15:41:12 +00:00 · 42cdd12ab3
commit 42cdd12ab3
parent f44a7b3066 a1d8ff630f
5 changed files with 16 additions and 12 deletions
--- a/core/admin/mailu/api/v1/domain.py
+++ b/core/admin/mailu/api/v1/domain.py
@ -39,20 +39,20 @@ domain_fields_get = api.model('DomainGet', {
    'dns_autoconfig': fields.List(fields.String(description='DNS client auto-configuration entry')),
    'dns_mx': fields.String(Description='MX record for domain'),
    'dns_spf': fields.String(Description='SPF record for domain'),
-    'dns_dkim': fields.String(Description='DKIM record for domain'),
+    'dns_dkim': fields.String(Description='DKIM records for domain'),
    'dns_dmarc': fields.String(Description='DMARC record for domain'),
    'dns_dmarc_report': fields.String(Description='DMARC report record for domain'),
-    'dns_tlsa': fields.String(Description='TLSA record for domain'),
+    'dns_tlsa': fields.List(fields.String(Description='TLSA records for domain')),
 })

 domain_fields_dns = api.model('DomainDNS', {
    'dns_autoconfig': fields.List(fields.String(description='DNS client auto-configuration entry')),
    'dns_mx': fields.String(Description='MX record for domain'),
    'dns_spf': fields.String(Description='SPF record for domain'),
-    'dns_dkim': fields.String(Description='DKIM record for domain'),
+    'dns_dkim': fields.String(Description='DKIM records for domain'),
    'dns_dmarc': fields.String(Description='DMARC record for domain'),
    'dns_dmarc_report': fields.String(Description='DMARC report record for domain'),
-    'dns_tlsa': fields.String(Description='TLSA record for domain'),
+    'dns_tlsa': fields.List(fields.String(Description='TLSA records for domain')),
 })

 manager_fields = api.model('Manager', {
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@ -282,8 +282,13 @@ class Domain(Base):
        """ return TLSA record for domain when using letsencrypt """
        hostname = app.config['HOSTNAME']
        if app.config['TLS_FLAVOR'] in ('letsencrypt', 'mail-letsencrypt'):
-            # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
-            return f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3'
+            return [
+                # current ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) @20210902
+                f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3',
+                # current ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2) @20240311
+                f'_25._tcp.{hostname}. 86400 IN TLSA 2 1 1 762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332',
+            ]
+        return []

    @property
    def dkim_key(self):
--- a/core/admin/mailu/ui/templates/domain/details.html
+++ b/core/admin/mailu/ui/templates/domain/details.html
@ -48,11 +48,10 @@
  </td>
 </tr>
 {%- endif %}
-{%- set tlsa_record=domain.dns_tlsa %}
-{%- if tlsa_record %}
+{%- if domain.dns_tlsa|length > 0 %}
 <tr>
-  <th>{% trans %}DNS TLSA entry{% endtrans %}</br><span class="text-secondary text-xs font-weight-normal">Let's Encrypt</br>ISRG Root X1</span></th>
-  <td>{{ macros.clip("dns_tlsa") }}<pre id="dns_tlsa" class="pre-config border bg-light">{{ tlsa_record }}</pre></td>
+  <th>{% trans %}DNS TLSA entry{% endtrans %}</br><span class="text-secondary text-xs font-weight-normal">Let's Encrypt ISRG Roots</span></th>
+  <td>{{ macros.clip("dns_tlsa") }}<pre id="dns_tlsa" class="pre-config border bg-light">{{ domain.dns_tlsa | join("\n") }}</pre></td>
 </tr>
 {%- endif %}
 <tr>
--- a/core/admin/mailu/ui/views/domains.py
+++ b/core/admin/mailu/ui/views/domains.py
@ -81,8 +81,7 @@ def domain_download_zonefile(domain_name):
        txt = ' '.join(f'"{txt[p:p+250]}"' for p in range(0, len(txt), 250))
        res.append(f'{record} {txt}')
        res.append(domain.dns_dmarc)
-    if domain.dns_tlsa:
-        res.append(domain.dns_tlsa)
+    res.extend(domain.dns_tlsa)
    res.extend(domain.dns_autoconfig)
    res.append("")
    return flask.Response(
--- a/towncrier/newsfragments/3191.feature
+++ b/towncrier/newsfragments/3191.feature
@ -0,0 +1 @@
+Ensure that we encourage users to also pin ISRG X2 in their TLSA records
				`@ -0,0 +1 @@`
				`Ensure that we encourage users to also pin ISRG X2 in their TLSA records`